
I'm developing a web app based on Amazon API Gateway. I created a Facebook login and successfully logged into the website, but when I call another API, everything is gone. I think I should pass the Cognito token when calling an API every time. Am I right?

If yes, how do I pass the Cognito token to the API? In a header? Or another way?

Thanks,

itulga
  • What do you mean by everything is gone? What information do you need about the caller inside the API Gateway API? – Scott Willeke Sep 18 '15 at 17:05
  • Would you be able to provide some sample code and error messages you are getting? – Mark Mercurio Sep 18 '15 at 20:07
  • @ScottWilleke my login page calls the /doLogin API, then I get a token and ID from Cognito. After that I go to a restricted page like profile, which calls the /showProfile API. Right now /showProfile doesn't know whether I'm logged in or not, so it gives me the error "Missing Authentication Token". I think that I should send my token and ID with every API Gateway call, but how do I send them? In a header like "Amazon-Cognito-Token"? Or another way? – itulga Sep 19 '15 at 16:26
  • @user2882027 I am unclear on your setup exactly. Is /doLogin returning the OpenID token from getOpenIdToken? Did you set up AWS_IAM authorization on your /showProfile API? If so, which credentials are you using to call it from the browser? Credentials from STS's assume role with the Cognito OpenID token? – Mark Mercurio Sep 20 '15 at 00:56
  • @MarkMercurio yes, /doLogin returns the OpenID token from getOpenIdToken. /doLogin authorization is None, /showProfile authorization is AWS_IAM. If I call /doLogin there is no error, but /showProfile gives the error "Missing Authentication Token". How do I use the credentials to call /showProfile? – itulga Sep 20 '15 at 01:42
  • Possible duplicate of [API gateway how to pass AWS IAM authorization from rest client](http://stackoverflow.com/questions/32833331/api-gateway-how-to-pass-aws-iam-authorization-from-rest-client) – Jason Apr 25 '16 at 00:50
  • Solution using generated JS SDK here: http://stackoverflow.com/questions/39019244/api-gateway-authentication-with-cognito-federated-identities – hacklikecrack Mar 20 '17 at 10:12

1 Answer

You are using the "Basic Authflow" from Cognito Identity, which means you will need to get credentials for your users by calling STS's "AssumeRoleWithWebIdentity". Here is some documentation to help: http://docs.aws.amazon.com/cognito/devguide/identity/concepts/authentication-flow/

Once you have credentials, you can instantiate the API Gateway Client:

// apigClientFactory comes from the JavaScript SDK that API Gateway generates for your API.
// The three values are the temporary credentials returned by AssumeRoleWithWebIdentity.
var client = apigClientFactory.newClient({
    accessKey: ACCESS_KEY,
    secretKey: SECRET_KEY,
    sessionToken: SESSION_TOKEN
});

The keys and tokens come from the result of the "AssumeRoleWithWebIdentity" call.

If you have configured your IAM roles and authorizations correctly, you should be able to access your API.

Here is the documentation describing how to configure the roles & authorization: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings.html#how-to-method-settings-callers-console

Also, here is how to enable CORS: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html

Mark Mercurio
  • Should I use apigClientFactory in the JS of my web interface? – itulga Sep 20 '15 at 13:48
  • What were you using previously? – Mark Mercurio Sep 20 '15 at 22:48
  • How do I consume a protected gateway API using an AJAX request? What are the necessary headers, and how do I generate and set them? Here is a blog post about how to call a protected gateway using AJAX; in that post the poster is using the x-api-key header. It's like a JWT token. How can I generate an API key, or how do I set the keys and tokens from AssumeRoleWithWebIdentity on an AJAX request? http://dev.classmethod.jp/cloud/aws/call_amazon-api-gateway_from_browser/ – itulga Sep 21 '15 at 03:25
  • @user2882027 API Gateway's API keys are a whole separate thing from the JWTs generated by Amazon Cognito. If you want to protect your APIs with AWS credentials, then use the instructions Mark has given you, if you want to use API keys, then consult the [API Gateway docs](http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-api-keys.html). If you're trying to do something else, please try editing your post with more details of what you're trying to accomplish. – Bob Kinney Sep 22 '15 at 05:19
  • For some reason I can't invoke API Gateway with the keys and token returned from AssumeRoleWithWebIdentity. I have a Cognito_Auth_Role that has all the correct policies, but I get an internal server error. If I add AdminAccess to this role then it works. – johnny Apr 26 '16 at 14:45
  • FWIW, I think the best practice should be to define a Lambda function that takes an authorization header (e.g. a Bearer token from an HTTP request) and runs a Lambda function that returns an IAM policy with the logic in this answer. This article from Amazon I thought was great about it. – shicholas Sep 04 '16 at 14:04